Hi all,
Putting on my "documentation" hat, these use cases need to be documented
well enough to allow a person who has not read this thread to carry them
out (without starting a new thread again). It is not sufficient to use
TB_SUPPORT as a final repository for ops procedures, although it is
perfect for refining procedures in the first place. So I suggest we write:
1) use case name: Remove email addresses from DNs
2) description or summary: blah blah blah
3) steps required: 1) blah, 2) blah, 3) blah
4) related use cases (e.g. new host cert, change host cert details, renew
host cert, delete/revoke host cert etc).
We could put that on the Wiki and need never revisit this again. I suggest
all cert maintenance procedures should be classified as KeyDocs, as it is
a bit of a showstopper when these things don't work.
Cheers,
Steve
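Steve's proposed use case, "Remove email addresses from DNs", starts with knowing which host certificates still carry the field and what DN the replacement request must have. The following is an added example, not code from this thread, CertWizard, PeCR or OpenCA: a Python audit over the one-line subject strings that `openssl x509 -noout -subject` prints, which strips the emailAddress RDN and reports which hosts need a fresh request (a renewal keeps the old DN, email included). The sample subjects are constructed, not real GridPP certificates.

```python
"""Audit host-certificate subject DNs for the deprecated emailAddress RDN.
Added example (not code from the thread, CertWizard, PeCR or OpenCA); it works
on the one-line subjects printed by `openssl x509 -noout -subject`, offline."""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]
# OpenSSL prints OID 1.2.840.113549.1.9.1 as "emailAddress"; that is the
# attribute type the thread wants removed from host DNs.
DEPRECATED_ATTRS = {"emailAddress"}

def parse_dn(dn: str) -> List[RDN]:
    """Split '/C=UK/O=eScience/CN=host' into ordered (type, value) pairs,
    honouring backslash escapes so an escaped '/' inside a value is kept."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "/":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]

def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn; re-escapes any '/' inside a value."""
    return "".join(f"/{t}={v.replace('/', chr(92) + '/')}" for t, v in rdns)

def cleanup_plan(subjects: List[str]) -> Dict[str, Dict[str, object]]:
    """Per host CN: current DN, the DN with emailAddress removed, and whether
    a fresh request is needed (a renewal keeps the old DN, email included)."""
    plan: Dict[str, Dict[str, object]] = {}
    for subj in subjects:
        rdns = parse_dn(subj)
        cn = next((v for t, v in rdns if t == "CN"), "")
        cleaned = [(t, v) for t, v in rdns if t not in DEPRECATED_ATTRS]
        plan[cn] = {"current": format_dn(rdns), "target": format_dn(cleaned),
                    "needs_new_request": len(cleaned) != len(rdns)}
    return plan

# Constructed sample subjects (not real GridPP certificates).
SAMPLE_SUBJECTS = [
    "/C=UK/O=eScience/OU=Imperial/L=Physics/CN=sedsk15.grid.hep.ph.ic.ac.uk"
    "/emailAddress=ops@example.invalid",
    "/C=UK/O=eScience/OU=Imperial/L=Physics/CN=host02.example.invalid",
]
```

Feed `cleanup_plan` the subject lines of every current host cert and the rows flagged `needs_new_request` are the ones that cannot be fixed by renewal; the `target` DN is what the new request should carry.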
> Excellent - so if anyone on this list has any single (as opposed to bulk)
> certs that they want to lose their deprecated emailAddress field it
> *SHOULD* just be straightforward - just Apply for a new one.
>
> Weird how it didn't work for you before (and failed on both CW and
> OpenCA), especially as we haven't made any changes to CW - anyway it is
> sorted now ... at least for your first 2.
>
> 40 is just about manageable - some chaps have hundreds! I can't remember
> what the record was for a single bulk request, but Jens probably does.
>
> Speak to Jens - the issue that Govind had (PeCR not working with renewing
> a host cert that was already lacking an emailAddress) doesn't match your
> issue so I still don't get why old PeCR doesn't work for you for your
> bulk.
> The issue could be related though so maybe Jens can take a look at your
> errors and see if that PeCR bug affects your situation too.
>
> Cheers
>
> JK
>
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Daniela Bauer
> Sent: 26 March 2013 16:27
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> it now works using the cert wizard. (I'm sitting in a gridpp meeting, so
> I used my laptop and the webstart.)
> It didn't work when I tried it earlier this day though (same version of
> the cert wizard)?!
> Two certs down, 38 to go...
>
> Cheers,
> Daniela
>
> On 26 March 2013 15:51, John Kewley
> <[log in to unmask]> wrote:
> Thanks for that information. Now I know what you are trying to do. So I
> tried to replicate the issue.
>
> Good news (well sort of anyway)!
>
> I have just successfully requested a new certificate for
> sedsk15.grid.hep.ph.ic.ac.uk using
> 1.6 java compatible version of CW
>
> I then deleted my request and tried using the OpenCA i/f. I also managed
> to create a new cert using that.
> I'll now go and remove that request too.
>
> The only differences were that I used my email address
>
> I won't try PeCR since I think jens is looking at some issues with that.
>
> So I don't lose my sanity, can you just try the same:
>
> 1. Use CW (whichever version works with your Java)
>
> 2. Go to the Manage certs screen
>
> 3. Select your personal certificate
>
> 4. Select "Apply for Cert"
>
> 5. Enter Imperial/Physics for the RA
>
> 6. sedsk15.grid.hep.ph.ic.ac.uk
> for the CN
>
> 7. Etc
>
> If it doesn't work can you let me know:
>
> * What OS
>
> * What Java
>
> * Which CW download - was it a zip / webstart/launch whatever
>
> Then try using the OpenCA web i/f?
>
> If neither work (which you say didn't work before) then let me know.
>
> Cheers
>
> JK
>
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On
> Behalf Of Daniela Bauer
> Sent: 26 March 2013 15:29
>
> To: [log in to unmask]
> Subject: Re: CertWizard + Java
>
> Hi John,
> I am trying to get the email address in the hostcert removed, that's what
> the whole thread is about.
> I have an old certificate (in use, hence no revoking) and I am trying to
> get a new one (sans email address). So I can't renew (keeps the email
> address) and I cannot ask for a new one, because certwizard/pecr/webpage
> (I've tried all three now), complain (correctly) that I already have a
> valid hostcert for the machine in question.
> I've tried it with sedsk15.grid.hep.ph.ic.ac.uk.
> As Jens mentioned, I don't think certwizard is the best tool to
> renew/request certificates in bulk, typing in 40+ hostnames is asking for
> trouble.
> I am the RA, so if I revoke a cert, will that not be automatically
> approved?
> Cheers,
> Daniela
>
>
> On 26 March 2013 15:08, John Kewley
> <[log in to unmask]> wrote:
>> I just tried the cert wizard, with the same result: cannot get a new
>> cert, the old one exists.
> If we are to work out what is going on then we need a few more details.
> What I have stated several times on this forum is how it should work so if
> it doesn't then we need to be able to work out what the bugs are.
>
> Answers to some or all of the following may help:
> * Why do you want a new certificate when an old one already exists?
> * Do you have possession of the old one and is it in use?
> * Is it to remove an emailAddress from the DN? If not, why can't you
> renew?
> * What is the certificate number you are using?
>
>> It doesn't recognise it as a new DN.
>> So I am relying on a revocation not being approved (I guess it would
>> have to come from someone who is not me as I am the RA) and hope I can
>> get the new cert before this filters through the system.
> If you say to your RA Op - "Please don't approve this request" then you
> are relying on him/her to adhere to your requests in the same way as when
> applying for a renewal you are relying on him/her to approve it before
> your old one expires - I don't see this is an issue, unless you have
> reasons to be distrustful of your RA's RA Ops.
>
> There is nothing to filter through the system - it will sit there forever
> if the request isn't approved.
>
>> Some small bit in my mind wants to scream.
> I feel I am repeating myself as well, so let's see if we can get some info
> on why it isn't working
>
> JK
> --
> Scanned by iCritical.
>
>
>
> --
> Sent from the pit of despair
>
> -----------------------------------------------------------
> [log in to unmask]
> HEP Group/Physics Dep
> Imperial College
> Tel: +44-(0)20-75947810
> http://www.hep.ph.ic.ac.uk/~dbauer/
>